GoScanSSH, a new strain of malware written in Golang (Go), has been targeting Linux-based SSH servers exposed to the internet — as long as those systems do not belong to the government or military.

In a new report, Cisco’s Talos Intelligence Group explained several other “interesting characteristics” of GoScanSSH, such as the fact that the attackers create a unique malware binary for each host that is infected.

The researchers first learned of the malware when it infected a Ubiquiti Enterprise Gateway Router; they have since discovered more than 70 unique GoScanSSH malware samples. After finding multiple versions of the malware in the wild, they warned that “this threat is continuing to be actively developed and improved upon by the attackers.”

Usernames and targeted devices

For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force a publicly accessible SSH server. GoScanSSH appears to target weak or default credentials on Linux-based devices, homing in on the following usernames when attempting to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”

The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and involves at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”

GoScanSSH scans for additional vulnerable SSH servers exposed to the internet that it can infect, but it goes out of its way to avoid military and government systems. Talos explained that the scanning and identifying of additional vulnerable servers “is performed by first randomly generating an IP address, avoiding special-use addresses.”

It then compares the IP address to a list of CIDR blocks that the malware will not attempt to scan. The contents of this list are network ranges primarily controlled by various government and military entities, specifically avoiding ranges assigned to the U.S. Department of Defense as listed here. Additionally, one of the network ranges in the list is assigned to an organization in South Korea. If the selected IP falls into these network ranges, it is discarded and a new IP address is generated.

If the malware can connect to the IP address via TCP/22, it performs a reverse DNS lookup to determine whether the IP address is associated with a domain. If it is, that domain is checked against a list of domains to make sure it isn’t related to government or military entities. If it is related, the IP is discarded and a new one is chosen.

Government and military on GoScanSSH’s domain blacklist

Talos provided both the IP blacklist and the domain blacklist that the malware uses to decide whether it should continue attempting to compromise a system. Some of those domains include: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the system or device is on neither blacklist, Talos “believes the attacker then compiles a new malware binary specifically for the compromised system and infects the new host, causing this process to repeat on the newly infected system.”

The researchers intend to continue monitoring and tracking the attack. For those interested, they provided the blacklists, IOCs, domains associated with the malware and additional technical details about GoScanSSH.
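Because GoScanSSH’s initial access is a credential brute-force against the usernames listed above, a defender can spot it in sshd logs by looking for a single source cycling through that username set. The following is an added detection example written for this article, not code from Talos or from the malware; the log lines are constructed, the thresholds are assumptions, and the `Failed password` line format is the standard OpenSSH syslog message.

```python
import re
from collections import defaultdict

# Usernames the Talos report lists as GoScanSSH's brute-force targets.
GOSCANSSH_USERNAMES = {"admin", "guest", "oracle", "osmc", "pi", "root",
                       "test", "ubnt", "ubuntu", "user"}

# Standard OpenSSH failed-login message, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failed_logins(lines):
    """Yield (source_ip, username) for every sshd failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def find_spray_sources(lines, min_attempts=5, min_distinct_users=3):
    """Return {ip: sorted usernames tried} for sources whose failures
    concentrate on the GoScanSSH username set (thresholds are assumed)."""
    attempts = defaultdict(list)
    for ip, user in parse_failed_logins(lines):
        attempts[ip].append(user)
    hits = {}
    for ip, users in attempts.items():
        matched = [u for u in users if u in GOSCANSSH_USERNAMES]
        if len(matched) >= min_attempts and len(set(matched)) >= min_distinct_users:
            hits[ip] = sorted(set(matched))
    return hits

# Constructed sample log: one spraying source, one unrelated failure pair,
# one repeated-root source that stays under the distinct-user threshold.
SAMPLE_LOG = """\
Mar 26 10:01:02 gw sshd[1201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar 26 10:01:03 gw sshd[1203]: Failed password for invalid user pi from 198.51.100.7 port 50124 ssh2
Mar 26 10:01:04 gw sshd[1205]: Failed password for invalid user ubnt from 198.51.100.7 port 50126 ssh2
Mar 26 10:01:05 gw sshd[1207]: Failed password for invalid user osmc from 198.51.100.7 port 50128 ssh2
Mar 26 10:01:06 gw sshd[1209]: Failed password for admin from 198.51.100.7 port 50130 ssh2
Mar 26 10:01:07 gw sshd[1211]: Failed password for invalid user test from 198.51.100.7 port 50132 ssh2
Mar 26 10:02:10 gw sshd[1230]: Failed password for invalid user alice from 203.0.113.9 port 40001 ssh2
Mar 26 10:02:11 gw sshd[1232]: Failed password for invalid user bob from 203.0.113.9 port 40003 ssh2
Mar 26 10:03:00 gw sshd[1240]: Failed password for root from 192.0.2.4 port 39001 ssh2
Mar 26 10:03:01 gw sshd[1242]: Failed password for root from 192.0.2.4 port 39003 ssh2
Mar 26 10:03:05 gw sshd[1244]: Accepted publickey for deploy from 192.0.2.8 port 39010 ssh2
"""

if __name__ == "__main__":
    for ip, users in find_spray_sources(SAMPLE_LOG.splitlines()).items():
        print(f"possible GoScanSSH spray from {ip}: {', '.join(users)}")
```

Pair the flagged sources with the report's IOC list and, on the devices it names, confirm that the default accounts cannot log in with a password at all.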